Had an odd series of events in our firewall today. It was a machine that
had grabbed a DHCP address and was trying to contact IRC channels. Looked
like a classic virus-infected machine calling home. It was only online
for 12 minutes and just after I did an nmap, it dropped off. I don't
necessarily think those two were related. Instead, I think it was someone
who had dialed in to our corporate network.
What struck me as odd is that I think it may have been an X-BOX. I don't
play games and have never played with one of these boxes. However, when I
did an nbtstat here is what I got:
$ nbtstat -A 192.168.1.49
Local Area Connection:
Node IpAddress: [192.168.1.243] Scope Id: []
NetBIOS Remote Machine Name Table
Name            Type          Status
---------------------------------------------
HOSTXXXXX       <00>  UNIQUE  Registered
HOSTXXXXX       <20>  UNIQUE  Registered
XBOXHOME        <00>  GROUP   Registered
XBOXHOME        <1E>  GROUP   Registered
MAC Address = 44-45-53-54-42-00
Note: HOSTXXXXX above was actually something besides HOSTXXXXX. The
letters in the place of XXXXX formed an English word but could also be the
first initial + first 4 letters of the last name of an employee we have,
so I obfuscated them.
44-45-53 is an MS hardware MAC address, based on what I could find online.
Here is the result of my initial nmap run:
[root at hol-webInt root]# nmap -PT80 -vv -sT -sU -O 192.168.1.49
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host hostspark.hollandco.com (192.168.1.49) appears to be up ... good.
Initiating Connect() Scan against hostspark.hollandco.com (192.168.1.49)
Adding open port 1025/tcp
Adding open port 5000/tcp
Adding open port 139/tcp
Adding open port 135/tcp
The Connect() Scan took 22 seconds to scan 1601 ports.
Initiating UDP Scan against hostspark.hollandco.com (192.168.1.49)
The UDP Scan took 72 seconds to scan 1468 ports.
Adding open port 123/udp
Adding open port 1900/udp
Adding open port 1646/udp
Adding open port 1812/udp
Adding open port 137/udp
Adding open port 1645/udp
Adding open port 1813/udp
Adding open port 138/udp
Adding open port 500/udp
For OSScan assuming that port 135 is open and port 1 is closed and neither
are firewalled
Interesting ports on hostspark.hollandco.com (192.168.1.49):
(The 3056 ports scanned but not shown below are in state: closed)
Port       State  Service
123/udp    open   ntp
135/tcp    open   loc-srv
137/udp    open   netbios-ns
138/udp    open   netbios-dgm
139/tcp    open   netbios-ssn
500/udp    open   isakmp
1025/tcp   open   NFS-or-IIS
1645/udp   open   radius
1646/udp   open   radacct
1812/udp   open   radius
1813/udp   open   radacct
1900/udp   open   UPnP
5000/tcp   open   UPnP
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance
Server Beta3
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=49664%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class=random positive increments
Difficulty=300644 (Good luck!)
TCP ISN Seq. Numbers: A17F21EF A19DA691 A1BB5E41 A1D56869 A1E70662
A201F222
IPID Sequence Generation: Busy server or unknown class
Nmap run completed -- 1 IP address (1 host up) scanned in 106 seconds
The -PT80 option was there because I had yesterday scanned something on
the internal network that was not responding to pings. I can't say if
this device was ignoring pings or not because by the time I tried, it was
offline.
I did a Google search for XBOX IRC and VIRUS, but all I found were
mentions of IRC channels to get XBOX games, etc.
I am assuming that XBOX machines can be infected by viruses. I also
wonder whether XBOX machines can have OS patches applied. Can anyone
point me to any pages that might discuss viruses and XBOXEN? Also, does
anyone know whether my HOSTXXXXX guess above as to the naming convention
is correct?
For what it is worth, here are the ip addresses that this machine tried to
contact during the 12 minutes it was on our network:
My suspicion is that this was one of our home users who dialed in to our
network and has a home network with an XBOX on it.
---Tim Rushing
The Holland Company
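As an added example (not part of Tim's post), here is a small Python triage helper that parses nbtstat -A output of the kind shown above, decodes the standard NetBIOS suffix/type pairs, pulls out the computer name and workgroup, and notes the MAC prefix. The sample input is constructed from the post's table, and the OUI note table is a constructed stub holding only the 44-45-53 prefix the post mentions.

```python
import re
# Constructed sample input: the nbtstat -A table from the post (host name obfuscated as there).
NBTSTAT_SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.243] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
HOSTXXXXX <00> UNIQUE Registered
HOSTXXXXX <20> UNIQUE Registered
XBOXHOME <00> GROUP Registered
XBOXHOME <1E> GROUP Registered
MAC Address = 44-45-53-54-42-00
"""

# Standard NetBIOS (suffix, type) meanings for the entries that appear in the post.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("20", "UNIQUE"): "file server service",
    ("00", "GROUP"): "domain or workgroup name",
    ("1E", "GROUP"): "browser service elections (workgroup)",
}

# Constructed OUI stub: only the prefix the post mentions; 0x44 0x45 0x53 is "DES" in ASCII.
OUI_NOTES = {"44-45-53": "Microsoft-associated prefix per the post (bytes spell 'DES')"}

ROW_RE = re.compile(r"^(\S+)\s+<([0-9A-F]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-F]{2}(?:-[0-9A-F]{2}){5})", re.I)

def parse_nbtstat(text):
    """Parse nbtstat -A output into names, computer name, workgroup, MAC and OUI note."""
    info = {"names": [], "host": None, "workgroup": None, "mac": None, "oui_note": None}
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if row:
            name, suffix, ntype, status = row.groups()
            key = (suffix.upper(), ntype.upper())
            info["names"].append({"name": name, "suffix": key[0], "type": key[1], "status": status,
                                  "meaning": SUFFIX_MEANING.get(key, "other/unknown")})
            if key == ("00", "UNIQUE"):
                info["host"] = name        # the machine's own computer name
            elif key == ("00", "GROUP"):
                info["workgroup"] = name   # the workgroup/domain it belongs to
            continue
        mac = MAC_RE.search(line)
        if mac:
            info["mac"] = mac.group(1).upper()
            info["oui_note"] = OUI_NOTES.get(info["mac"][:8])  # first three octets = OUI
    return info
```

Run against the post's table it reports the computer name, the XBOXHOME workgroup and the 44-45-53 prefix, which is the kind of quick check that separates "an unknown host appeared" from "a home workgroup member showed up over the dial-in link".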